Title: Enforcing Integrity and Software Fault Isolation in Microkernels with CHERI
Authors: Georg Lauterbach, Bohdan Trach, Horst Schirmeier
E-Mail: georg.lauterbach@mailbox.tu-dresden.de
Affiliation: Technische Universität Dresden

Abstract

Up to the present time, the predominant programming language for writing operating system kernels is C. While C is widely regarded as a perfect fit for low-level programming, its inherent limitation lies in its memory unsafety. Microkernels in particular, which dominate system software for high-assurance systems, employ a vast number of tools to lint, check and test code in various ways to eliminate memory safety issues as far as possible. Time and experience have shown that this is not enough to eliminate memory safety violations, though. A major reason for the lack of adoption of solutions is the absence of backwards-compatible approaches that offer memory safety for C-based Trusted Computing Bases (TCBs) while retaining solid performance. Capability Hardware Enhanced RISC Instructions (CHERI), a hardware-software co-design project, aims at solving exactly this issue: it stays fully backwards compatible with a given base system architecture while offering new techniques to enforce spatial and referential memory safety for C-based TCBs. CHERI claims to be easily adaptable for application software while keeping solid performance without major bottlenecks, employing a solution that is already well-established and well-grounded in research: capabilities. CHERI extends integer-based pointers with extra metadata (bounds) and permissions to create architectural capabilities that are subject to specific usage rules in order to maintain memory safety. Moreover, CHERI offers new techniques for switching between protection domains that may become interesting for systems that suffer from IPC overheads. Microkernels would benefit heavily from the promises that CHERI makes.
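To make the capability rules referred to above concrete, here is a portable software simulation of a CHERI-style capability, added here as an illustration; it is not CHERI's real 128-bit encoding, not the authors' kernel code, and runs on ordinary hardware. The `cap_t` struct, its field names and the `cap_*` functions are all assumptions made for this example. It shows the three properties the abstract relies on: every access is checked against bounds and permissions, a derived capability can only narrow (never widen) what its parent allows, and an invalidated capability (cleared tag) cannot be used at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical permission bits; real CHERI has more (execute, seal, ...). */
enum { CAP_PERM_LOAD = 1u, CAP_PERM_STORE = 2u };

/* Constructed "fat pointer": an address plus the metadata CHERI adds.
 * Real CHERI keeps the tag out of band in memory; here it is just a field. */
typedef struct {
    uint8_t *base;   /* lowest byte the capability may reach */
    size_t length;   /* bytes from base that are in bounds */
    size_t offset;   /* current pointer = base + offset (offset <= length) */
    unsigned perms;  /* bitmask of CAP_PERM_* */
    bool tag;        /* false once the capability has been invalidated */
} cap_t;

/* Root capability over a buffer: only the allocator/kernel may mint these. */
cap_t cap_from_buffer(uint8_t *buf, size_t len, unsigned perms) {
    cap_t c = { buf, len, 0, perms, true };
    return c;
}

/* Monotonic derivation: the child must lie inside the parent's bounds and
 * may hold at most the parent's permissions. Returns false (and leaves *out
 * untagged) if the request would widen either. */
bool cap_restrict(const cap_t *src, size_t new_off, size_t new_len,
                  unsigned perms, cap_t *out) {
    out->tag = false;
    if (!src->tag) return false;
    if (new_off > src->length || new_len > src->length - new_off) return false;
    if ((perms & ~src->perms) != 0) return false;   /* cannot gain rights */
    out->base = src->base + new_off;
    out->length = new_len;
    out->offset = 0;
    out->perms = perms;
    out->tag = true;
    return true;
}

/* Common check performed on every dereference: tag, permission, bounds. */
static bool cap_check(const cap_t *c, size_t idx, unsigned need) {
    if (!c->tag) return false;
    if ((c->perms & need) != need) return false;
    if (idx > SIZE_MAX - c->offset) return false;    /* avoid wraparound */
    return c->offset + idx < c->length;
}

bool cap_load(const cap_t *c, size_t idx, uint8_t *out) {
    if (!cap_check(c, idx, CAP_PERM_LOAD)) return false;
    *out = c->base[c->offset + idx];
    return true;
}

bool cap_store(const cap_t *c, size_t idx, uint8_t val) {
    if (!cap_check(c, idx, CAP_PERM_STORE)) return false;
    c->base[c->offset + idx] = val;
    return true;
}

/* Models a tag being cleared, e.g. after a non-capability-aware store
 * overwrote the pointer in memory. */
void cap_invalidate(cap_t *c) { c->tag = false; }

int main(void) {
    static uint8_t buf[16];
    cap_t rw = cap_from_buffer(buf, sizeof buf, CAP_PERM_LOAD | CAP_PERM_STORE);
    cap_t ro;
    uint8_t v = 0;

    printf("store in bounds:      %d\n", cap_store(&rw, 15, 7));   /* 1 */
    printf("store one past end:   %d\n", cap_store(&rw, 16, 7));   /* 0 */
    printf("derive read-only sub: %d\n", cap_restrict(&rw, 4, 8, CAP_PERM_LOAD, &ro)); /* 1 */
    printf("store via read-only:  %d\n", cap_store(&ro, 0, 1));    /* 0 */
    printf("load via sub-cap:     %d\n", cap_load(&ro, 3, &v));    /* 1 */
    cap_invalidate(&ro);
    printf("load after tag clear: %d\n", cap_load(&ro, 3, &v));    /* 0 */
    return 0;
}
```

The out-of-bounds store and the write through a read-only capability are exactly the cases a plain C pointer would silently allow; with a capability they fail the check instead, which is what spatial safety means here. On real CHERI hardware the same checks are performed by the instruction rather than by a software wrapper, and a failed check raises a capability fault.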
My research investigates whether CHERI's claims of being easily adoptable hold up for microkernels and what impact a transition to CHERI currently has on a microkernel project. I also wanted to find out whether CHERI has a non-negligible performance impact on the system. Therefore, I adjusted the microkernel developed at HUAWEI Dresden Research Center (DRC), a kernel similar to the L4 series of microkernels in its philosophy and design. We also show preliminary performance measurements taken on ARM Morello hardware. My findings suggest that while the effort of porting is indeed limited, it remains non-trivial for kernel code. Certain areas of the kernel in particular are disproportionately affected by the changes CHERI requires. The kernel code is now memory safe in terms of spatial and referential memory safety. The Morello boards allowed for first performance tests, albeit without the micro-architectural optimizations that a commercially deployable product would see. We found significant performance overheads as the result of kernel code that does not compose well with CHERI. Current work suggests that porting a kernel to CHERI can only be a first step in exploring the project as a whole, though, possibly unleashing even more potential down the line by utilizing more of the advanced concepts that CHERI packs.

Language of the Presentation: English